Pension trustees more alert to fraud risks but complacency remains, survey finds

A new survey from RSM has found that pension trustees are becoming more alert to fraud risks but are still too complacent when it comes to prevention.

RSM’s annual survey of trustees representing 124 pension schemes found that over half (52 per cent) recognised that fraud presented a significant threat to their scheme, up from 41 per cent last year. 

Fraud has shot up the agenda, according to the survey, with 85 per cent of schemes now including fraud on their risk registers, up from just over a third last year. Meanwhile, almost two thirds of trustees (64 per cent) reported that they had received fraud risk training within the last year, up from just one in five (22 per cent) last year. Despite this improvement, 18 per cent of trustees still did not recognise that they were responsible for the systems of fraud detection and prevention.

However, while trustees are becoming more aware of fraud risks, this isn’t necessarily being translated into action. According to the survey, one third of pension schemes are failing to carry out annual testing of their anti-fraud controls, despite the Pensions Regulator expecting schemes to test internal controls at least annually.

The findings also highlight a marked gap between perceived areas of vulnerability and experience on the ground. Most respondents thought cybercrime and IT breaches pose the greatest threat of fraud to their scheme. Yet the current reality is that perennial risks, such as pensioner existence fraud - whereby fraudsters continue to draw the benefits of deceased members - and pensions liberation scams are still the most commonly detected frauds.

There were also signs of complacency among trustees with respect to cybercrime threats. Although 89 per cent of respondents stated that cybercrime presents a significant threat to the industry, less than half (48 per cent) had received formal cyber risk training in the last year, with many schemes failing to review security measures to prevent and mitigate any such attacks. These security measures include claimant identity testing undertaken by the scheme administrator. This was reviewed by only 21 per cent of respondents while only 20 per cent had a 24-hour cyber incident response plan in place.

Worryingly, the survey also suggests that many schemes are struggling to get ready for the new General Data Protection Regulation (GDPR) which comes into force this May, with 13 per cent saying they have yet to take any action to prepare. Key problem areas include reviewing all contracts with data processors, complying with individuals’ rights to personal data deletion and dealing with tightening of consent requirements.

Ian Bell, head of pensions at audit, tax and consulting firm RSM, said:

‘While our survey shows an increasing awareness of the fraud risks facing pensions schemes, it also points to a persistent level of complacency among some trustees.

‘What’s particularly interesting is the mismatch between perceived fraud risk and actual fraudulent activity. Schemes must do much more to uncover ‘old school’ frauds such as relatives continuing to claim payments after a member’s death or tackling suspicious pensions transfer requests, while at the same time staying alert to new and evolving threats such as cybercrime.

‘The fact is that pensions schemes hold a goldmine of personal and financial data so trustees must ensure that they are taking their data protection obligations seriously, particularly with the imminent GDPR rules. Failure to comply might lead to reputational as well as financial risk for those who fall foul.’

Fiona Frobisher, Head of Policy at The Pensions Regulator, said:

‘We welcome reports like this one from RSM. It outlines what pension schemes should be doing to protect members’ savings, from following the correct process to keep savings out of the hands of fraudsters, to having a cyber strategy in case IT systems are breached.

‘It is encouraging that these issues are already on the agendas and risk registers of pension schemes, and they also need to ensure robust internal controls are put in place and are being tested, including by third party providers. Trustees are ultimately accountable for the security of their scheme’s data and assets.’
